Iron-clad BMS Cybersecurity in the IoT World

Patrick Carriere

As the built environment becomes ever more connected through Internet of Things (IoT) technology, building management system cybersecurity has become a considerable concern. There are now myriad examples of bad actors using vulnerable IoT networks to gain access to valuable data and cause harm. 

This was the case when cybercriminals accessed a Las Vegas casino’s database of high rollers through an IoT thermometer in the casino’s fish tank. In another incident, malicious actors infected IoT devices with malware to carry out distributed denial of service (DDoS) attacks. The attacks temporarily brought down Dyn, one of the largest domain name service providers in the United States, and affected major websites across North America.

Cybersecurity legislation, like the IoT Cybersecurity Improvement Act of 2020, seeks to address such problems by setting security guidelines for IoT devices. These guidelines focus on configuration of systems, identity management, software patches, and reporting and will undoubtedly go a long way toward minimizing vulnerabilities. But cybersecurity is an evolving landscape, and the layering of technologies within smart buildings introduces unique risks. Building owners must proactively address building management system cybersecurity issues to protect people and assets. 

Building Management System Cybersecurity

Cybersecurity risks are not new. The proliferation of IoT devices, however, has led to new vectors through which attacks can take place. Using an experienced master systems integrator during the design phase of a new building or retrofits of existing structures will negate many of these new and evolving risks associated with installing smart HVAC, lighting, access control, and other building systems. 

Vulnerabilities in Smart Buildings

To make a building more secure, its vulnerabilities must first be identified, especially those related to the centralized BMS. 

Common vulnerabilities include: 

  • Ignorance about cybersecurity risks of connected devices and systems.
  • Inadequate security around device discovery, which allows cybercriminals to perform reconnaissance.
  • Inconsistent software updates.
  • Insufficient encryption policies and procedures.
  • Lack of cybersecurity training.
  • Limited or nonexistent protection against unauthorized physical access to devices or networks.
  • Poor cybersecurity practices, such as not changing default passwords, using the same passwords for multiple purposes, misconfigured remote access, and unregulated use of universal plug and play (UPnP) protocols.
  • Weaknesses inherent in certain devices’ software, network gateways, and web services.

These system vulnerabilities must be counteracted by robust cybersecurity practices.

IoT Cybersecurity Guidelines

Once the threats to a building’s network have been ascertained, mitigating dangers becomes easier. While the needs of each building are unique, you can optimize building management system cybersecurity by following a few basic guidelines. 

  • Segment building networks. Bad actors target IoT devices with malware because the devices often lack built-in security. Such malware often scans for open ports, uses devices for brute-force attacks, or conducts DDoS attacks. Because anti-virus software cannot be installed in IoT devices' firmware, segmenting building networks to limit damage from potential malware is advisable.
  • Use strong passwords. Default or weak passwords allow easy access for cybercriminals through brute force or dictionary attacks. Choosing strong passwords and using a different password for each device minimizes risk.
  • Strengthen asset management processes. Detecting and managing IoT devices is a key function of building management systems. Cybersecurity threats sometimes occur due to installation of rogue devices that operate within the network. Strengthening asset management processes improves your system’s ability to detect these malicious devices.
  • Use a secure boot process. Devices that lack a secure boot process pose a security risk. While inbuilt boot codes offer greater security, they limit devices’ ability to update security patches for newly discovered vulnerabilities. Enabling the secure boot process using a device’s default mode proves legitimacy and establishes trust.
  • Protect communication ports. Exposed communication ports used by IoT devices allow cybercriminals to gain access. For this reason, physical access to communication ports should be limited. Ensuring that these devices only communicate with authenticated and authorized entities is also recommended.
  • Encrypt data. Unencrypted data can be intercepted in man-in-the-middle attacks or through other cyberspying methods. Encryption should thus be used whenever possible with IoT devices and the networks on which they communicate.
  • Use encrypted connections for software updates. Newer IoT devices support security updates. However, security patches may be downloaded without encryption, which increases the risk of cybercriminals modifying the device's code. Software updates should therefore be conducted over an encrypted connection to prevent this.
  • Aggregate and review data. Abnormalities in communications coming from connected devices can indicate a cyberattack. But while IoT devices generate event log data, their distributed nature can make identifying irregularities difficult. Aggregating all IoT log data in a single location and regularly reviewing data flows makes it easier to spot anomalies. A smart building platform, like onPoint, is ideally suited for this task.
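
An added example (not from the original post or any Buildings IOT product): one way to apply the asset-management and log-review guidelines above, checking aggregated device logs against an authorized inventory and a per-segment allow-list of destinations. The log format, MAC and IP addresses, segment names, and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory: MAC address -> (device name, network segment).
INVENTORY = {
    "00:11:22:aa:bb:01": ("ahu-1-controller", "hvac"),
    "00:11:22:aa:bb:02": ("lobby-lighting-gw", "lighting"),
    "00:11:22:aa:bb:03": ("door-ctrl-east", "access"),
}
# Constructed policy: (destination IP, port) pairs each segment may talk to.
ALLOWED_FLOWS = {
    "hvac": {("10.10.1.5", 47808)},      # BACnet/IP to the BMS server
    "lighting": {("10.10.1.5", 47808)},
    "access": {("10.10.1.9", 443)},
}
# Constructed aggregated log: timestamp, source MAC, destination IP, port.
SAMPLE_LOGS = """\
2024-05-01T02:00:01Z 00:11:22:aa:bb:01 10.10.1.5 47808
2024-05-01T02:00:03Z 00:11:22:aa:bb:02 10.10.1.5 47808
2024-05-01T02:00:07Z 00:11:22:aa:bb:03 10.10.1.9 443
2024-05-01T02:01:12Z de:ad:be:ef:00:99 10.10.1.5 47808
2024-05-01T02:02:40Z 00:11:22:aa:bb:02 203.0.113.50 23
not a log line
"""

def parse_line(line):
    """Return (timestamp, mac, dst_ip, port), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdecimal():
        return None
    ts, mac, dst, port = parts
    return ts, mac.lower(), dst, int(port)

def review(log_text, inventory=INVENTORY, allowed=ALLOWED_FLOWS):
    """Group findings: unknown devices, off-policy flows, unparseable lines."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():  # keep unparseable lines for manual review
                findings["malformed"].append(line)
            continue
        ts, mac, dst, port = rec
        if mac not in inventory:  # device missing from the asset inventory
            findings["rogue_device"].append((ts, mac))
            continue
        name, segment = inventory[mac]
        if (dst, port) not in allowed.get(segment, set()):
            findings["off_policy_flow"].append((ts, name, dst, port))
    return dict(findings)
```

On the sample data, `review(SAMPLE_LOGS)` reports the unknown MAC as a rogue device and the lighting gateway's connection to an external address on port 23 as an off-policy flow.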

In addition to these practices, your team members should receive training to understand cybersecurity risks and their role in mitigating those risks.

Integration Is Key for Cybersecurity

Building management system cybersecurity is stronger when devices, systems, and applications work together to deal with threats. That means integration is key.

To stay ahead of cybersecurity threats, commercial building owners should partner with vendors whose products are designed for easy integration and who follow industry best practices for security. In many cases, this means using cloud-based platforms that work with open protocols and provide automatic security updates. Today, advanced integration platforms-as-a-service (iPaaS) are one of the best ways to unify building systems and add smart capabilities while offering an agile approach to IoT and BMS cybersecurity. 

With products and services from smart building experts, you can ensure you capitalize on the potential of cutting-edge technologies without compromising the security of your building, data, or occupants. 

Buildings IOT offers state-of-the-art solutions to optimize building management system cybersecurity. Contact our team of experts to learn more about what we can do for you.